policy (Security IKE)
Syntax
policy policy-name {
    blocklist blocklist-name;
    certificate {
        local-certificate certificate-id;
        peer-certificate-type (pkcs7 | x509-signature);
        policy-oids [ oid ];
        trusted-ca {
            ca-profile ca-profile-name;
            trusted-ca-group trusted-ca-group-name;
        }
    }
    description description;
    mode (aggressive | main);
    pre-shared-key (ascii-text key | hexadecimal key);
    seeded-pre-shared-key (ascii-text key | hexadecimal key);
    proposal-set (basic | compatible | prime-128 | prime-256 | standard | suiteb-gcm-128 | suiteb-gcm-256);
    proposals proposal-name;
    reauth-frequency number;
}
Hierarchy Level
[edit security ike]
Description
IKE policies define a combination of security parameters (IKE proposals) to be used during IKE negotiation, including peer address, the preshared key for the given peer, and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
IKE proposals in the policy statement are evaluated in list order, from top to bottom, so when creating the policy, specify the highest-priority proposal first, followed by the next highest priority, and so on.
Options
policy-name—Name of the IKE policy. The policy name can be up to 32 alphanumeric characters long.
blocklist blocklist-name—Specify the name of the corresponding remote peer's IKE identity blocklist. The blocklist is used to block IKE IDs during the authentication phase of IKE SA negotiation.
certificate—Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient. For more information, see certificate.
description description—Specify the description of the IKE policy.
mode—Define the mode used for Internet Key Exchange (IKE) Phase 1 negotiations. Use aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. The IKEv2 protocol does not use the mode configuration in its negotiation. The device deletes existing IKE and IPsec SAs when you update the mode configuration in the IKE policy.
- aggressive—Aggressive mode.
- main—Main mode. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange. Configuring mode main for group VPN servers or members is not supported when the remote gateway has a dynamic address and the authentication method is pre-shared-keys.
pre-shared-key—Define a preshared key for an IKE policy. The device deletes existing IKE and IPsec SAs when you update the pre-shared-key configuration in the IKE policy.
- ascii-text key—Specify a string of 1 to 255 ASCII text characters for the key. To include the special characters ( ) [ ] ! & ? | enclose either the entire key string or the special character in quotation marks; for example "str)ng" or str")"ng. Other use of quotation marks within the string is not allowed. With des-cbc encryption, the key contains 8 ASCII characters. With 3des-cbc encryption, the key contains 24 ASCII characters.
- hexadecimal key—Specify a string of 1 to 255 hexadecimal characters for the key. Characters must be hexadecimal digits 0 through 9, or letters a through f or A through F. With des-cbc encryption, the key contains 16 hexadecimal characters. With 3des-cbc encryption, the key contains 48 hexadecimal characters.
seeded-pre-shared-key—Define a seeded preshared key in ASCII or hexadecimal format for an IKE policy. The seeded-pre-shared-key is a master key that is used to generate the pre-shared-key for the peers, so each peer has a different pre-shared-key. The advantage of this option is that each peer connection to the gateway uses a different preshared key; if one peer's pre-shared-key is compromised, the other peers are not impacted.
The peer preshared keys are generated from the master key configured as seeded-pre-shared-key and distributed to the peers. To view a peer's pre-shared-key, execute the show security ike pre-shared-key command, then share the displayed preshared key and configure it on the peer's device as pre-shared-key (in ASCII format). The master key is configured only on the gateway device and is not shared with any peer.
You can retrieve the peer preshared key using the show security ike pre-shared-key user-id peer-ike-id master-key master-key command or the show security ike pre-shared-key user-id peer-ike-id gateway gateway-name command.
- ascii-text key—Configure a string of 1 to 255 ASCII text characters for the key. To include the special characters ( ) [ ] ! & ? | enclose either the entire key string or the special character in quotation marks; for example "str)ng" or str")"ng. Other use of quotation marks within the string is not allowed.
- hexadecimal key—Specify a string of 1 to 255 hexadecimal characters for the key. Characters must be hexadecimal digits 0 through 9, or letters a through f or A through F.
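The following walkthrough is an added illustration of the seeded-pre-shared-key workflow described above; it is not taken from the Junos documentation. The policy names ike-pol-remote-users and ike-pol-to-hq, the proposal name ike-prop-aes256-sha256, the gateway name gw-remote-users (assumed to reference ike-pol-remote-users at [edit security ike gateway]), the peer IKE ID alice@example.net, and the master key string are all constructed values. The master key stays on the gateway; only the derived per-peer key is carried to the peer.

```junos
/* Gateway side: the master key is configured here and nowhere else. */
[edit security ike]
policy ike-pol-remote-users {
    mode main;
    proposals ike-prop-aes256-sha256;
    seeded-pre-shared-key ascii-text "Master-Seed-Example-Value";
}

/* Gateway side, operational mode: derive the key for one peer's IKE ID.
   Either form from the reference above works; this one names the gateway. */
user@gateway> show security ike pre-shared-key user-id alice@example.net gateway gw-remote-users

/* Peer side (alice's device only): configure the key the gateway displayed,
   as a plain pre-shared-key in ASCII format. Placeholder shown, not a real key. */
[edit security ike]
policy ike-pol-to-hq {
    mode main;
    proposals ike-prop-aes256-sha256;
    pre-shared-key ascii-text "<key displayed by the gateway>";
}
```

Because every peer receives a distinct derived key, revoking or rotating one peer's key does not require touching the other peers; rotating the master key on the gateway, by contrast, changes every derived key and must be coordinated with all peers.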
proposal-set—Specify a set of default Internet Key Exchange (IKE) proposals.
proposals proposal-name—Specify up to four Phase 1 proposals for an IKE policy. If you include multiple proposals, use the same Diffie-Hellman group in all of the proposals.
reauth-frequency number—Configure the reauthentication frequency to trigger a new IKEv2 reauthentication. Reauthentication creates a new IKE SA, creates new child SAs within the IKE SA, and then deletes the old IKE SA. This option is disabled by default. The number is the count of IKE rekeys that occur before reauthentication occurs. If reauth-frequency is 1, reauthentication occurs every time there is an IKE rekey. If reauth-frequency is 2, reauthentication occurs at every other IKE rekey. If reauth-frequency is 3, reauthentication occurs at every third IKE rekey.
- Default: 0 (disabled)
- Range: 0-100
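The two policies below are an added example that ties the options above together; they are not configuration from the Junos documentation. The policy names (ike-pol-branch, ike-pol-partner), proposal names (ike-prop-aes256-sha256, ike-prop-aes128-sha1), certificate identifier srx-local-cert, CA profile corp-ca, and the key string are constructed. The first policy lists its proposals in priority order, quotes a preshared key that contains a special character, and reauthenticates at every other IKE rekey; the second authenticates with certificates instead of a preshared key.

```junos
[edit security ike]
/* Preshared-key policy. Proposals are evaluated top to bottom, so the
   preferred proposal is listed first. */
policy ike-pol-branch {
    description "Branch office IKE policy";
    mode main;
    proposals [ ike-prop-aes256-sha256 ike-prop-aes128-sha1 ];
    /* The key contains ')', so the whole string is enclosed in quotation marks. */
    pre-shared-key ascii-text "Str0ng)Key-Example";
    /* IKEv2 only: reauthenticate at every second IKE rekey (range 0-100, 0 disables). */
    reauth-frequency 2;
}

/* Certificate-based policy: no preshared key is present, and peers are
   accepted only if their certificate chains to the configured CA profile. */
policy ike-pol-partner {
    description "Partner VPN, certificate authentication";
    mode main;
    proposals ike-prop-aes256-sha256;
    certificate {
        local-certificate srx-local-cert;
        peer-certificate-type x509-signature;
        trusted-ca {
            ca-profile corp-ca;
        }
    }
}
```

Both policies use main mode, which is the recommended choice because it protects the identities exchanged in Phase 1; aggressive mode would only be warranted for a peer whose address is dynamic and which therefore cannot be matched by IP. Changing mode or pre-shared-key on a committed policy tears down the existing IKE and IPsec SAs, so schedule such edits accordingly.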
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement modified in Junos OS Release 8.5.
Support for suiteb-gcm-128 and suiteb-gcm-256 options added in Junos OS Release 12.1X45-D10.
Support for policy-oids option added in Junos OS Release 12.3X48-D10.
Support for trusted-ca option added in Junos OS Release 18.1R1.
Support for reauth-frequency option added in Junos OS Release 15.1X49-D60.
Support for seeded-pre-shared-key option added in Junos OS Release 21.1R1.
Support for blocklist option added in Junos OS Release 23.4R1.